FrontierNews.ai

Two Critical Vulnerabilities in Semantic Kernel Expose AI Agents to Remote Code Execution

Microsoft disclosed two critical vulnerabilities in its Semantic Kernel framework that allow attackers to execute arbitrary code on AI agent hosts through simple text prompts, raising urgent questions about the security of AI agent frameworks across the industry. On May 7, 2026, the company confirmed what security researchers have warned about for months: once a language model is connected to tools and functions, prompt injection attacks transform from annoying text tricks into a direct path to remote code execution.

What Are These Vulnerabilities and How Do They Work?

The first vulnerability, CVE-2026-25592, lives in Semantic Kernel's SessionsPythonPlugin, a built-in tool for running AI-generated Python code inside Azure Container Apps. A developer accidentally tagged an internal method called DownloadFileAsync with a [KernelFunction] attribute, which tells the language model that this method is available as a tool to call. The problem: the attribute exposed the method's full parameter schema to the model, including a file path parameter that became entirely under the model's control.

An attacker embeds instructions in any document, email, or web page that the agent processes. The language model, following those instructions, calls DownloadFileAsync with a destination path inside the Windows Startup folder. With auto-invocation enabled, Semantic Kernel runs the function immediately without asking the user. The next time that user logs on (for example after a reboot), Windows launches the payload with that user's privileges. The vulnerability carries a CVSS score of 10.0, the highest possible severity rating.

The second vulnerability, CVE-2026-26030, affects the Python SDK and is more fundamental in nature. Semantic Kernel's InMemoryVectorStore, a common choice for retrieval-augmented generation (RAG) prototypes that frequently end up in production systems, builds its filter expressions as Python lambdas and executes them using eval(). The filter input can come directly from attacker-controlled content stored in the vector database itself. A malicious record injected into a RAG corpus can execute arbitrary Python code the moment a search query triggers filtering. This vulnerability has a CVSS score of 9.8.
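To make the failure mode concrete, here is an added example (not Semantic Kernel's code, and not a reproduction of the patched library) of the same pattern: a filter assembled as source text and handed to eval(), next to a hardened replacement that parses a restricted filter grammar with the ast module and interprets it itself. The record layout, field names and the poisoned value are constructed for illustration; the payload only appends to a list where a real one would run a command. It is also the concrete form of the rule in the hardening list below that model- or data-controlled strings never reach eval().

```python
"""Added example (not Semantic Kernel's code): the eval()-built filter pattern
described above, beside a hardened replacement that parses a small filter
grammar into a predicate without executing any attacker-supplied text.
Field names, records and the payload are constructed for illustration."""
from __future__ import annotations

import ast
import operator
from typing import Any, Callable

Predicate = Callable[[dict], Any]

# Constructed RAG corpus. Assume the filter value is later copied out of a
# stored record, so an attacker who can get a record ingested controls it.
RECORDS = [
    {"id": "doc-1", "tenant": "acme", "year": 2024, "text": "Quarterly report"},
    {"id": "doc-2", "tenant": "acme", "year": 2025, "text": "Incident review"},
    {"id": "doc-3", "tenant": "globex", "year": 2025, "text": "Vendor contract"},
]

# Stands in for "arbitrary code ran": a real payload would import os and run a command.
PWNED: list[str] = []
PAYLOAD = "' or PWNED.append('rce') or '"


def vulnerable_filter(tenant_value: str) -> Predicate:
    """The flawed pattern: assemble a lambda as source text and eval() it."""
    src = f"lambda r: r['tenant'] == '{tenant_value}'"
    return eval(src)  # deliberately unsafe; mirrors the vulnerability


def search(records: list[dict], pred: Predicate) -> list[str]:
    return [r["id"] for r in records if pred(r)]


def demonstrate_injection() -> list[str]:
    """Run the poisoned value through the eval() path; returns the side effects."""
    PWNED.clear()
    search(RECORDS, vulnerable_filter(PAYLOAD))
    return list(PWNED)


# Hardened form: parse the expression, allow only `field <op> literal`
# comparisons joined by and/or, then interpret it ourselves. Calls, attribute
# access, subscripts and names on the right-hand side are rejected outright.
ALLOWED_FIELDS = {"tenant", "year"}
OPERATORS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}


def safe_filter(expr: str) -> Predicate:
    tree = ast.parse(expr, mode="eval")
    return _compile(tree.body)


def _compile(node: ast.AST) -> Predicate:
    if isinstance(node, ast.BoolOp):
        parts = [_compile(v) for v in node.values]
        if isinstance(node.op, ast.And):
            return lambda r: all(p(r) for p in parts)
        return lambda r: any(p(r) for p in parts)  # ast.Or is the only other BoolOp
    if isinstance(node, ast.Compare):
        if len(node.ops) != 1:
            raise ValueError("chained comparisons are not allowed")
        left, op, right = node.left, node.ops[0], node.comparators[0]
        if not (isinstance(left, ast.Name) and left.id in ALLOWED_FIELDS):
            raise ValueError("left side must be an allowlisted field")
        if not (isinstance(right, ast.Constant) and isinstance(right.value, (str, int, float))):
            raise ValueError("right side must be a string or number literal")
        if type(op) not in OPERATORS:
            raise ValueError(f"operator {type(op).__name__} is not allowed")
        fn, name, lit = OPERATORS[type(op)], left.id, right.value
        return lambda r: name in r and fn(r[name], lit)
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def rejects(expr: str) -> bool:
    """True if the hardened parser refuses the expression."""
    try:
        safe_filter(expr)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("eval() side effects:", demonstrate_injection())
    print("hardened search:", search(RECORDS, safe_filter("tenant == 'acme' and year >= 2025")))
    print("payload rejected:", rejects(f"tenant == '{PAYLOAD}'"))
```

The parser still lets an attacker who controls a literal change the filter's logic (for example by appending `or tenant == 'acme'`), so the stronger design passes field, operator and value as separate parameters and never builds an expression string from stored data at all; the AST allowlist is the fallback for code that must accept an expression.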

Why Should Organizations Care About This Pattern?

Microsoft's security team made an unusually direct statement about the broader implications: "Readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks." The warning carries weight because the same pattern recurs across agent frameworks: language models are given access to rich tool registries; external content can influence what those models do; and a framework that passes model-controlled parameters to sensitive functions without validation is one prompt injection away from code execution.

The same week these vulnerabilities were disclosed, PraisonAI was exploited within four hours of its vulnerability disclosure, and a critical remote code execution flaw emerged in OpenClaw through a malicious link. These are not isolated incidents or theoretical concerns. They represent a systemic architectural problem in how AI agents are currently designed and deployed.

How to Secure AI Agents Against These Attacks

  • Upgrade Immediately: Update the Python SDK to semantic-kernel version 1.39.4 or later, and the .NET SDK to Microsoft.SemanticKernel.Core version 1.71.0 or later. These patches address both vulnerabilities directly.
  • Disable Auto-Invocation: Turn off auto-invocation on any agent with access to disk, shell, credentials, or production data. When auto-invocation is enabled (the default in most frameworks), the language model can call any registered tool without explicit code approval. Disabling it forces the model to only recommend tool calls; your code decides whether to execute them. This breaks prompt injection attacks at the execution boundary.
  • Audit Function Tags: Review all [KernelFunction] tags in your codebase to verify that no unintended methods are exposed to your language model. This is a straightforward code review task that prevents accidental exposure.
  • Replace InMemoryVectorStore: Remove InMemoryVectorStore from production environments immediately. It was not designed to handle untrusted input at scale. Replace it with audited backends like Azure AI Search, Qdrant, or Chroma. Swapping the backend removes the eval() path but not the trust problem: records ingested from external content remain attacker-controlled data, so keep them out of filter strings and anything else that is interpreted as code.
  • Never Use eval() with Language Model Output: This principle extends well beyond Semantic Kernel. Never pass language model-controlled strings to eval() or similar code execution functions in any framework or language.
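As an added illustration of the first three items above (not Semantic Kernel's API; the tool names, the sandbox directory and the filename policy are assumptions), the gate below shows what manual function calling means in code: the model returns proposed tool calls as data, and the application decides which run, requires human approval for anything that reaches disk or shell, and confines the one model-controlled path argument to a bare filename inside a fixed directory, so the Startup-folder destination from the attack described earlier is rejected even if a reviewer approved the call.

```python
"""Added example, not Semantic Kernel's API: a manual function-calling gate.
The model only proposes tool calls as structured data; this code decides
whether each one runs. The tool names, sandbox directory and filename policy
are assumptions for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Hypothetical tool registry. Tools that reach disk or shell are never
# auto-run; a human has to approve each call, and arguments are still checked.
READ_ONLY_TOOLS = {"search_docs"}
SENSITIVE_TOOLS = {"download_file", "run_shell"}
SANDBOX_ROOT = PurePosixPath("/srv/agent/downloads")  # assumed fixed download dir

# The model may pick a bare filename only: no separators, drive letters,
# backslashes or leading dots, so it can never steer a file into a Startup
# folder or anywhere else outside SANDBOX_ROOT.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


@dataclass
class Decision:
    allowed: bool
    reason: str
    args: dict = field(default_factory=dict)


def safe_destination(filename: str) -> PurePosixPath:
    """Confine a model-chosen destination to the fixed sandbox directory."""
    if not SAFE_FILENAME.fullmatch(filename):
        raise ValueError(f"rejected destination {filename!r}")
    return SANDBOX_ROOT / filename


def gate(call: dict, human_approved: bool = False) -> Decision:
    """Decide whether one model-proposed tool call may execute."""
    name = call.get("name")
    args = dict(call.get("arguments", {}))
    if name not in READ_ONLY_TOOLS | SENSITIVE_TOOLS:
        return Decision(False, f"unknown tool {name!r}")
    if name in SENSITIVE_TOOLS and not human_approved:
        return Decision(False, f"{name} reaches disk or shell; explicit approval required")
    if name == "download_file":
        # Approval alone is not enough: the argument is still validated.
        try:
            args["destination"] = str(safe_destination(args.get("destination", "")))
        except ValueError as exc:
            return Decision(False, str(exc))
    return Decision(True, "ok", args)


def review_proposals(proposals: list[dict], approved: set[int] | None = None) -> list[Decision]:
    """Gate a whole batch; `approved` holds the indexes a human signed off on."""
    approved = approved or set()
    return [gate(p, human_approved=i in approved) for i, p in enumerate(proposals)]


# Constructed stand-in for what a model returns after reading a poisoned
# document: one legitimate search plus an injected download into the
# Windows Startup folder, as in the attack described in the article.
MODEL_PROPOSALS = [
    {"name": "search_docs", "arguments": {"query": "Q3 revenue"}},
    {"name": "download_file", "arguments": {
        "remote_path": "/mnt/data/report.py",
        "destination": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.bat",
    }},
]


if __name__ == "__main__":
    for d in review_proposals(MODEL_PROPOSALS, approved={1}):
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The two checks are deliberately independent: the approval requirement stops the silent auto-invocation the article describes, and the destination policy stops the path-controlled write even when a human waves the call through, which matters because an approver reading a long tool-call transcript will not reliably spot a Startup folder path.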

"The lowest-effort, highest-leverage hardening is to disable auto-invocation on any agent that can reach disk, shell, or production data, and run those agents in manual function calling mode," stated Microsoft's security team.

Microsoft Security Blog, May 7, 2026

The patches are publicly available, and the attack vectors are documented. The exploitation window is open right now for any unpatched Semantic Kernel instance running in production. Organizations using Semantic Kernel should treat these updates as emergency patches, not routine maintenance.

This disclosure highlights a fundamental tension in AI agent architecture: the more tools and functions you expose to a language model, the more attack surface you create. As enterprises move toward more autonomous AI agents with access to critical systems, the security implications of this design pattern will only become more severe. The industry is still in the early stages of understanding how to build AI agents that are both capable and secure.